berbew | 7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
Size

1.2MB
MD5

bf97e01db801efffe81fe58cc4fe6687
SHA1

9d4565a13ec82a56bab51d2f7dcff7bf4feed565
SHA256

7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd
SHA512

193c3aa3ba0a9cacc63646b253820ce8e6a3e659babc4c613e2723afbe3ddf8182876859500fef04e1371ebe84bab8f96b1b91eabf09c1004b36e6f0fffa1f3d
SSDEEP

24576:4gu5YyCtCCm0BKh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YR:4gu5RCtCXbazR0vk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efhqmadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoebgcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibhicbao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijcngenj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjfkmdlg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikjhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efhqmadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glpepj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lifcib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fijbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gefmcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieponofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggmldfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibhicbao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Injqmdki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iediin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iclbpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoebgcol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fggmldfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjcaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjfkmdlg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eafkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieponofk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 54 IoCs

pid	Process
2700	Efhqmadd.exe
2680	Eoebgcol.exe
2740	Eafkhn32.exe
2552	Fggmldfp.exe
1772	Fijbco32.exe
2396	Gefmcp32.exe
752	Glpepj32.exe
868	Gcjmmdbf.exe
2844	Hjcaha32.exe
2140	Hmdkjmip.exe
1748	Ieponofk.exe
1944	Ikjhki32.exe
1716	Iebldo32.exe
3020	Injqmdki.exe
1600	Iediin32.exe
748	Ibhicbao.exe
1640	Iegeonpc.exe
1700	Ijcngenj.exe
340	Imbjcpnn.exe
2112	Iclbpj32.exe
1984	Jjfkmdlg.exe
1428	Jpbcek32.exe
908	Jfmkbebl.exe
1836	Jikhnaao.exe
1688	Jpepkk32.exe
2748	Jmipdo32.exe
2716	Jfaeme32.exe
2728	Jpjifjdg.exe
2596	Jfcabd32.exe
836	Jhenjmbb.exe
1812	Jnofgg32.exe
2072	Keioca32.exe
2400	Koaclfgl.exe
2392	Khjgel32.exe
2616	Kmfpmc32.exe
948	Khldkllj.exe
2152	Koflgf32.exe
1488	Kdbepm32.exe
1368	Kipmhc32.exe
988	Kpieengb.exe
1792	Kkojbf32.exe
2408	Lplbjm32.exe
296	Lgfjggll.exe
444	Lidgcclp.exe
2976	Llbconkd.exe
2916	Loaokjjg.exe
2092	Lghgmg32.exe
2628	Lifcib32.exe
2456	Llepen32.exe
2940	Lcohahpn.exe
1524	Lemdncoa.exe
2960	Llgljn32.exe
536	Lofifi32.exe
1756	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2364	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
2364	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
2700	Efhqmadd.exe
2700	Efhqmadd.exe
2680	Eoebgcol.exe
2680	Eoebgcol.exe
2740	Eafkhn32.exe
2740	Eafkhn32.exe
2552	Fggmldfp.exe
2552	Fggmldfp.exe
1772	Fijbco32.exe
1772	Fijbco32.exe
2396	Gefmcp32.exe
2396	Gefmcp32.exe
752	Glpepj32.exe
752	Glpepj32.exe
868	Gcjmmdbf.exe
868	Gcjmmdbf.exe
2844	Hjcaha32.exe
2844	Hjcaha32.exe
2140	Hmdkjmip.exe
2140	Hmdkjmip.exe
1748	Ieponofk.exe
1748	Ieponofk.exe
1944	Ikjhki32.exe
1944	Ikjhki32.exe
1716	Iebldo32.exe
1716	Iebldo32.exe
3020	Injqmdki.exe
3020	Injqmdki.exe
1600	Iediin32.exe
1600	Iediin32.exe
748	Ibhicbao.exe
748	Ibhicbao.exe
1640	Iegeonpc.exe
1640	Iegeonpc.exe
1700	Ijcngenj.exe
1700	Ijcngenj.exe
340	Imbjcpnn.exe
340	Imbjcpnn.exe
2112	Iclbpj32.exe
2112	Iclbpj32.exe
1984	Jjfkmdlg.exe
1984	Jjfkmdlg.exe
1428	Jpbcek32.exe
1428	Jpbcek32.exe
908	Jfmkbebl.exe
908	Jfmkbebl.exe
1836	Jikhnaao.exe
1836	Jikhnaao.exe
1688	Jpepkk32.exe
1688	Jpepkk32.exe
2748	Jmipdo32.exe
2748	Jmipdo32.exe
2716	Jfaeme32.exe
2716	Jfaeme32.exe
2728	Jpjifjdg.exe
2728	Jpjifjdg.exe
2596	Jfcabd32.exe
2596	Jfcabd32.exe
836	Jhenjmbb.exe
836	Jhenjmbb.exe
1812	Jnofgg32.exe
1812	Jnofgg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Eafkhn32.exe	Eoebgcol.exe
File opened for modification	C:\Windows\SysWOW64\Ibhicbao.exe	Iediin32.exe
File opened for modification	C:\Windows\SysWOW64\Jikhnaao.exe	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Lbfchlee.dll	Ikjhki32.exe
File opened for modification	C:\Windows\SysWOW64\Iegeonpc.exe	Ibhicbao.exe
File created	C:\Windows\SysWOW64\Dfaaak32.dll	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Jmipdo32.exe	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Eoebgcol.exe	Efhqmadd.exe
File opened for modification	C:\Windows\SysWOW64\Gcjmmdbf.exe	Glpepj32.exe
File opened for modification	C:\Windows\SysWOW64\Hjcaha32.exe	Gcjmmdbf.exe
File created	C:\Windows\SysWOW64\Iediin32.exe	Injqmdki.exe
File created	C:\Windows\SysWOW64\Jikhnaao.exe	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Lghgmg32.exe	Loaokjjg.exe
File created	C:\Windows\SysWOW64\Cocajj32.dll	Eoebgcol.exe
File created	C:\Windows\SysWOW64\Ikedjg32.dll	Fggmldfp.exe
File opened for modification	C:\Windows\SysWOW64\Gefmcp32.exe	Fijbco32.exe
File created	C:\Windows\SysWOW64\Hjcaha32.exe	Gcjmmdbf.exe
File opened for modification	C:\Windows\SysWOW64\Injqmdki.exe	Iebldo32.exe
File opened for modification	C:\Windows\SysWOW64\Fggmldfp.exe	Eafkhn32.exe
File opened for modification	C:\Windows\SysWOW64\Jmipdo32.exe	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Khldkllj.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Llepen32.exe
File opened for modification	C:\Windows\SysWOW64\Llgljn32.exe	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Gcjmmdbf.exe	Glpepj32.exe
File created	C:\Windows\SysWOW64\Bdgoqijf.dll	Glpepj32.exe
File created	C:\Windows\SysWOW64\Mlpckqje.dll	Ijcngenj.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Khldkllj.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Lidgcclp.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Ocfqdk32.dll	Eafkhn32.exe
File created	C:\Windows\SysWOW64\Glpepj32.exe	Gefmcp32.exe
File created	C:\Windows\SysWOW64\Hmdkjmip.exe	Hjcaha32.exe
File created	C:\Windows\SysWOW64\Jfmkbebl.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lofifi32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbcek32.exe	Jjfkmdlg.exe
File created	C:\Windows\SysWOW64\Jfcabd32.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jhenjmbb.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Ibhicbao.exe	Iediin32.exe
File created	C:\Windows\SysWOW64\Gkeeihpg.dll	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Oopqjabc.dll	Llgljn32.exe
File created	C:\Windows\SysWOW64\Aqgpml32.dll	Hjcaha32.exe
File opened for modification	C:\Windows\SysWOW64\Ikjhki32.exe	Ieponofk.exe
File created	C:\Windows\SysWOW64\Aekabb32.dll	Ibhicbao.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	Ijcngenj.exe
File created	C:\Windows\SysWOW64\Jpbcek32.exe	Jjfkmdlg.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Eoebgcol.exe	Efhqmadd.exe
File opened for modification	C:\Windows\SysWOW64\Iediin32.exe	Injqmdki.exe
File opened for modification	C:\Windows\SysWOW64\Ijcngenj.exe	Iegeonpc.exe
File created	C:\Windows\SysWOW64\Jpepkk32.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Llgljn32.exe	Lemdncoa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2084	1756	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lifcib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lofifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iediin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llepen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efhqmadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gefmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmdkjmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injqmdki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhicbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjfkmdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loaokjjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eoebgcol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafkhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggmldfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjcaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iegeonpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgljn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fijbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glpepj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieponofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iclbpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhenjmbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjmmdbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikjhki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijcngenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll"	Eoebgcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fijbco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fijbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llbconkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llgljn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ikjhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glpepj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll"	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lofifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgoqijf.dll"	Glpepj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcjmmdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnhnc32.dll"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbniafn.dll"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgklp32.dll"	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfqdk32.dll"	Eafkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eafkhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcjmmdbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaaak32.dll"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diodocki.dll"	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gefmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqbajfj.dll"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eafkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efhqmadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbellh.dll"	Ieponofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieponofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll"	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmdkjmip.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2700	2364	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe	30
PID 2364 wrote to memory of 2700	2364	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe	30
PID 2364 wrote to memory of 2700	2364	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe	30
PID 2364 wrote to memory of 2700	2364	7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe	30
PID 2700 wrote to memory of 2680	2700	Efhqmadd.exe	31
PID 2700 wrote to memory of 2680	2700	Efhqmadd.exe	31
PID 2700 wrote to memory of 2680	2700	Efhqmadd.exe	31
PID 2700 wrote to memory of 2680	2700	Efhqmadd.exe	31
PID 2680 wrote to memory of 2740	2680	Eoebgcol.exe	32
PID 2680 wrote to memory of 2740	2680	Eoebgcol.exe	32
PID 2680 wrote to memory of 2740	2680	Eoebgcol.exe	32
PID 2680 wrote to memory of 2740	2680	Eoebgcol.exe	32
PID 2740 wrote to memory of 2552	2740	Eafkhn32.exe	33
PID 2740 wrote to memory of 2552	2740	Eafkhn32.exe	33
PID 2740 wrote to memory of 2552	2740	Eafkhn32.exe	33
PID 2740 wrote to memory of 2552	2740	Eafkhn32.exe	33
PID 2552 wrote to memory of 1772	2552	Fggmldfp.exe	34
PID 2552 wrote to memory of 1772	2552	Fggmldfp.exe	34
PID 2552 wrote to memory of 1772	2552	Fggmldfp.exe	34
PID 2552 wrote to memory of 1772	2552	Fggmldfp.exe	34
PID 1772 wrote to memory of 2396	1772	Fijbco32.exe	35
PID 1772 wrote to memory of 2396	1772	Fijbco32.exe	35
PID 1772 wrote to memory of 2396	1772	Fijbco32.exe	35
PID 1772 wrote to memory of 2396	1772	Fijbco32.exe	35
PID 2396 wrote to memory of 752	2396	Gefmcp32.exe	36
PID 2396 wrote to memory of 752	2396	Gefmcp32.exe	36
PID 2396 wrote to memory of 752	2396	Gefmcp32.exe	36
PID 2396 wrote to memory of 752	2396	Gefmcp32.exe	36
PID 752 wrote to memory of 868	752	Glpepj32.exe	37
PID 752 wrote to memory of 868	752	Glpepj32.exe	37
PID 752 wrote to memory of 868	752	Glpepj32.exe	37
PID 752 wrote to memory of 868	752	Glpepj32.exe	37
PID 868 wrote to memory of 2844	868	Gcjmmdbf.exe	38
PID 868 wrote to memory of 2844	868	Gcjmmdbf.exe	38
PID 868 wrote to memory of 2844	868	Gcjmmdbf.exe	38
PID 868 wrote to memory of 2844	868	Gcjmmdbf.exe	38
PID 2844 wrote to memory of 2140	2844	Hjcaha32.exe	39
PID 2844 wrote to memory of 2140	2844	Hjcaha32.exe	39
PID 2844 wrote to memory of 2140	2844	Hjcaha32.exe	39
PID 2844 wrote to memory of 2140	2844	Hjcaha32.exe	39
PID 2140 wrote to memory of 1748	2140	Hmdkjmip.exe	40
PID 2140 wrote to memory of 1748	2140	Hmdkjmip.exe	40
PID 2140 wrote to memory of 1748	2140	Hmdkjmip.exe	40
PID 2140 wrote to memory of 1748	2140	Hmdkjmip.exe	40
PID 1748 wrote to memory of 1944	1748	Ieponofk.exe	41
PID 1748 wrote to memory of 1944	1748	Ieponofk.exe	41
PID 1748 wrote to memory of 1944	1748	Ieponofk.exe	41
PID 1748 wrote to memory of 1944	1748	Ieponofk.exe	41
PID 1944 wrote to memory of 1716	1944	Ikjhki32.exe	42
PID 1944 wrote to memory of 1716	1944	Ikjhki32.exe	42
PID 1944 wrote to memory of 1716	1944	Ikjhki32.exe	42
PID 1944 wrote to memory of 1716	1944	Ikjhki32.exe	42
PID 1716 wrote to memory of 3020	1716	Iebldo32.exe	43
PID 1716 wrote to memory of 3020	1716	Iebldo32.exe	43
PID 1716 wrote to memory of 3020	1716	Iebldo32.exe	43
PID 1716 wrote to memory of 3020	1716	Iebldo32.exe	43
PID 3020 wrote to memory of 1600	3020	Injqmdki.exe	44
PID 3020 wrote to memory of 1600	3020	Injqmdki.exe	44
PID 3020 wrote to memory of 1600	3020	Injqmdki.exe	44
PID 3020 wrote to memory of 1600	3020	Injqmdki.exe	44
PID 1600 wrote to memory of 748	1600	Iediin32.exe	45
PID 1600 wrote to memory of 748	1600	Iediin32.exe	45
PID 1600 wrote to memory of 748	1600	Iediin32.exe	45
PID 1600 wrote to memory of 748	1600	Iediin32.exe	45

C:\Users\Admin\AppData\Local\Temp\7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe
"C:\Users\Admin\AppData\Local\Temp\7cdb2ba36ddf5c5526f900ade4b74422e2baed2fa37956a67187e9384ef893dd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\Efhqmadd.exe
  C:\Windows\system32\Efhqmadd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Eoebgcol.exe
    C:\Windows\system32\Eoebgcol.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\Eafkhn32.exe
      C:\Windows\system32\Eafkhn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Fggmldfp.exe
        
        C:\Windows\system32\Fggmldfp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\Fijbco32.exe
        
        C:\Windows\system32\Fijbco32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Gefmcp32.exe
        
        C:\Windows\system32\Gefmcp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Glpepj32.exe
        
        C:\Windows\system32\Glpepj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Gcjmmdbf.exe
        
        C:\Windows\system32\Gcjmmdbf.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Hjcaha32.exe
        
        C:\Windows\system32\Hjcaha32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Hmdkjmip.exe
        
        C:\Windows\system32\Hmdkjmip.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Ieponofk.exe
        
        C:\Windows\system32\Ieponofk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ikjhki32.exe
        
        C:\Windows\system32\Ikjhki32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Injqmdki.exe
        
        C:\Windows\system32\Injqmdki.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Iediin32.exe
        
        C:\Windows\system32\Iediin32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ibhicbao.exe
        
        C:\Windows\system32\Ibhicbao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Iegeonpc.exe
        
        C:\Windows\system32\Iegeonpc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Ijcngenj.exe
        
        C:\Windows\system32\Ijcngenj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Windows\SysWOW64\Iclbpj32.exe
        
        C:\Windows\system32\Iclbpj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Jjfkmdlg.exe
        
        C:\Windows\system32\Jjfkmdlg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Jhenjmbb.exe
        
        C:\Windows\system32\Jhenjmbb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Khldkllj.exe
        
        C:\Windows\system32\Khldkllj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Loaokjjg.exe
        
        C:\Windows\system32\Loaokjjg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Lifcib32.exe
        
        C:\Windows\system32\Lifcib32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Llepen32.exe
        
        C:\Windows\system32\Llepen32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Lemdncoa.exe
        
        C:\Windows\system32\Lemdncoa.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Lofifi32.exe
        
        C:\Windows\system32\Lofifi32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 140
        56⤵
        Program crash
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eoebgcol.exe

Filesize
1.2MB

MD5
168f2f1e1d234c1bbb64bddc4aaf9516

SHA1
8499b9794df378a24de5af63d4bb0477261e90d5

SHA256
648d9dd8a5a55857f6ced4c05ac83154484a69298ab908b2bd1ddfad339d244c

SHA512
627cac85596d5b4a83642c74de1956e0f21b4d588c23050cb61b1af1217b404c68adc267aabe7d4695dcb8e7f21fe45ce6538f9cc122611f28d498bebaa20018

Download Submit
C:\Windows\SysWOW64\Fggmldfp.exe

Filesize
1.2MB

MD5
d9cb91366c3d83d919acda0d98a617d2

SHA1
b27a80686c438a1c07310c755c29345c7febad8e

SHA256
75701e74cc0815bcd300e34b6b9564376d0aca219aca0f0dd8f8056d0c0c2ec8

SHA512
b42685bdc310eb71eb3aab329a05ee57988e5f351ea3550a7225c86c9b90d9378a0b44d7a1d4af5aaf1fdcc0f646d488e8c4c889acaafc84a4796c73df1b9afa

Download Submit
C:\Windows\SysWOW64\Glpepj32.exe

Filesize
1.2MB

MD5
d0ef0c64e4e424bbe5bd013a832c7f4e

SHA1
63f5fea08495e891965f4d2411db009201fdafe0

SHA256
6c4ba082c1568d227aa50454fc203381fa861a8cb64e11a19e308cbdebe0e33a

SHA512
76c3617ae2f701a62e3a43ec8c94cbdad359d19f9cce4e53e34a387682ef1677ae5527e397bc8221f27cd5bb27ee714bdfa2ea4adc9ac771a79598b7de368194

Download Submit
C:\Windows\SysWOW64\Hmdkjmip.exe

Filesize
1.2MB

MD5
82a7c78b13b33a586f0c7826d93d3166

SHA1
7fca12ee23d07aa33f757616ecea3935bfffbb61

SHA256
5f54d9eed567a48194aab00a1fa65b605b8f618b7f30a2298d6fa4169e53764a

SHA512
d94e60443d9c633aaf2b392f7ad820095802a6ce65a269bac808d337e5cdd2a4b8ae5b0d1ed5a30dd66dd1eb69eb959f6b0cb9df1352715accc77967b6df9d3d

Download Submit
C:\Windows\SysWOW64\Ibhicbao.exe

Filesize
1.2MB

MD5
bfc0fb25c71abc36952ad87718325a81

SHA1
84ba1aa3fe41bf6d0096bcddcb224d0598b26852

SHA256
0fbc14b6548dc58de186401ac29fa65f5c7a8a161186386cae19800bfa987e06

SHA512
7f0e252cab1ef9fdd09a44f9233ae1f3584c3b2376e24dacaabf21fcde3401cbd945ffc697273a2e7a00422194f916aebfe012fdda8405d053d0a913fc373784

Download Submit
C:\Windows\SysWOW64\Iclbpj32.exe

Filesize
1.2MB

MD5
d299fdfa0b770daa5f9dc24a1c9ca02e

SHA1
da3ac2dc64a0bcf28037db63762a030149f6b631

SHA256
290d0d344b437b0a5ba6791582ff4545cfa398fbb5d4c1bb522800dfc25c759f

SHA512
d181704ca05834d0ba96fccdd3abc969e5d64ca6f3fdd899d0adf43aaab6e2cc4b7371ef5f22d223dc94dc76bdfec6f04b20ad3336bc2ae2c235d576ff7b4161

Download Submit
C:\Windows\SysWOW64\Iebldo32.exe

Filesize
1.2MB

MD5
e3db8383850dd49363a85183078f7e6f

SHA1
efae5d84fadac7b8963d9b2af0a868d139b3c2f6

SHA256
575b562b7a3b787760b2fba783ce23907e3c7f5809f863d9a8ec64628e9e5fa0

SHA512
aa73c8584eaa51f2486a3387716aad1d7d5e67de8f067ef7c7185a435ff7d4326b446c04389bc0626c88937525b56a18bf479427ae02123e206d3592b34fbd9e

Download Submit
C:\Windows\SysWOW64\Iediin32.exe

Filesize
1.2MB

MD5
28ff08b55242e9589d03551306798a8f

SHA1
3a87c2bb024da2bfe8b26d0710b2370d4d663e62

SHA256
dbe8e00b8a2139c9a92a18f7201b66d9ff873d8477c5df7b8401c528c26bc4c1

SHA512
4f0b12b200925f5f10d8a66c9f550a22e333a838d826d2731309759ba58d219cc1c82ca9578c07233e362fc02c6b7dc3dd48aed5fc45ef927b4e1ce47635feab

Download Submit
C:\Windows\SysWOW64\Iegeonpc.exe

Filesize
1.2MB

MD5
71b0506c1773d410f80951a48e08d8aa

SHA1
775d57c1b8911639f82b17c7f47ef8ebf8168f8e

SHA256
f7722c9f877b205b6364ac11b6448e74518a2b6664dfa6390b9bdb1b1fb82e15

SHA512
4be7e39d113124c60a1a19374896cb7f67a7a6ae7f041c3ba24499dfe242e540aa0356f853e1b05d9889984d219906a6384a18f9074ec258bb62065227357e3c

Download Submit
C:\Windows\SysWOW64\Ijcngenj.exe

Filesize
1.2MB

MD5
b9374fd66be90dc15b51692cbd8d6457

SHA1
d1ccc5af9d2794ef63b1386ca67b1523a1559abc

SHA256
411a5a0198d5221d55f08d2e62e1f97a2afe9b36882d3acbe207e69dd192d4ab

SHA512
5c3f372718408a22ee071719396f5bd9975c18798c317e24830f0f1b1529aad1a21623c5537d9311271eb7f8f7ef03fb7db69d41b0441646ca0a4ab2a572b450

Download Submit
C:\Windows\SysWOW64\Ikedjg32.dll

Filesize
7KB

MD5
4a8c1784942292daed460210628c070e

SHA1
ec1efa854b5ceaa47f69fc258a37ce0c7c4f38ab

SHA256
ae2d6d97b692bda66d7d10fb6e5dad9e52e0b7240783ba0032363c0cec56e1e5

SHA512
ea8af93244d75f83cf279fce2da738d9451fdb378dc8c205ed34ce0ea6b93d9af0d38246da14f52acf8e46d100c0add2ff73220d795b9c76a4ae3d3fbf563183

Download Submit
C:\Windows\SysWOW64\Ikjhki32.exe

Filesize
1.2MB

MD5
d0d680a8981a91beafba6d86acde3851

SHA1
93ea91778b5f591b78b6154a9e8693cb3082c751

SHA256
f96d41c58748f665893918f24080149d0ac0353f35205697e130f30770cf6a51

SHA512
74b453a39577a8bb9292fd2be68c0c2b17b19975246a974a89e1d19a7d478b8938d811861e0c356cbeaf058a4e57dc5ae9e279f14eca33b898f7a991ad2f4e06

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
1.2MB

MD5
2740f5498debae10eeea6ec60c4ed340

SHA1
a2b45e7e66e0b50a3b2467cf05893b3636ec53a1

SHA256
d8dddecd87c2f701fa34d3efb81cdf8930b11a2fa039492ef92925bb4e9a6108

SHA512
a0436017607feae0f40797a4fcb44d913f614a9e8017240e4f2f54755d871fbd37ec73c5931e17a30a473804ecdd68ab5c0cfc6f9c0f299dd687838e1d6f8542

Download Submit
C:\Windows\SysWOW64\Injqmdki.exe

Filesize
1.2MB

MD5
e917f676759ad7f62fc6353ecf2d679d

SHA1
d65bdb4d7aa8e73ee8ddb1b13a3cd898e26f156d

SHA256
6bdfdc1512b7fafd3cbf999ed7492d218fc01a58cc933acc89577bdf356d7a95

SHA512
cb626700ffc2b5a32b523d8cb30d4363b823d312c98e90ea1c1c19da6d10a6d9b08ae1e5f3b2ed276e324b02caff82059219fa81ae17b8b01b57a1110dd69309

Download Submit
C:\Windows\SysWOW64\Jfaeme32.exe

Filesize
1.2MB

MD5
869082ee6583143a9bfdc27190533abb

SHA1
be5f5b7ea9a4e0e0c66cba17f1ab338f40b45fc4

SHA256
e97bc8568e788d38a977c27f0842a35cc076fdcd804cdf27e2fba12a3f27908d

SHA512
b983a6f4aa1da7b1909e5d2585dfb025cd0412205bc729d7d6d78ae99e91807d2f08ef3a01f55fe3e262f571556f5eb7e0510e87a570e33d05c7a6a76d483323

Download Submit
C:\Windows\SysWOW64\Jfcabd32.exe

Filesize
1.2MB

MD5
dc01f5d4f9f55be5dd6bcf53710e8e9a

SHA1
617bf6e5ea38b006a2576620180359b29a564271

SHA256
a5815550fe0c9676b383b8ce6c8e31ec98f5fbf1296067cb4e73f866e632bbdb

SHA512
f79c990b92e045be77a376b6125f1f5a6843e28d687c037e4b78d927ddd75652b4978cc4a27e8699868e64b902fbd8b53a2928cd0a083d029d66fc6b9130cd9a

Download Submit
C:\Windows\SysWOW64\Jfmkbebl.exe

Filesize
1.2MB

MD5
b0ecf2267a1a09ef5b6c329721542f74

SHA1
d1d168ddf6ccc6fff20594496ad570cf69c6d501

SHA256
6caca2e614b5b031c5715d928e962a91572f88f947a571c38e9c4d41d9dddd39

SHA512
b58d3bb0d075aead374b8dd5c9886b9b0da01782213ef14a00be6632cebf1e17d5327678b5c42d620931bef6279cb3bdf66addc35a1407285a63132d5a2702a4

Download Submit
C:\Windows\SysWOW64\Jhenjmbb.exe

Filesize
1.2MB

MD5
f3ff50921088a0523a62425a5f3c21cc

SHA1
2608368f765e2f19ef5d3d306e41a7adb2dfcc97

SHA256
42c961a8f6e190e244317e2e3465858e1606f4239a1c7afc0974ba51b0ab71ed

SHA512
adf59cdcb94cc353528e897da3319e3a6503d036b00b673177cebb99f743b0b9a46875fbc0956dd7e6381994f0df4eb749fb0b4cba3ca669bf2bb93fa50e07fc

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
1.2MB

MD5
af7ee083444a568db181253052f04843

SHA1
cd4e57641a83e8da3231817a41d6a704c75e1625

SHA256
99da9f29bca188d679513238d99e33fae6af5ad832d8e22d117d1c9c83edbfe9

SHA512
ab91b877e305427ba1f878be5d050c40d0ff2be551f0fd264b3444ed9047104240a83b08aaac9ccaffa11bdbef09abefc426b9e8a52d722b40f03dfdd0bce800

Download Submit
C:\Windows\SysWOW64\Jjfkmdlg.exe

Filesize
1.2MB

MD5
9dfd57291c973f16672067df85428e4b

SHA1
244f82bae3ccd63b4dae785e04d8e9fcf772c63d

SHA256
0fb3e83df74319e9c72627b554ee6faa97d632fdcd67c0188584446cff42e6e5

SHA512
c8e11ee4e6a03042e395a43a41c3af260573ac20980d72a432dc76d14fa3875e99fce0337fe917d7b6a1f7965bdd45330fee9d078797b8db728224d353d802c4

Download Submit
C:\Windows\SysWOW64\Jmipdo32.exe

Filesize
1.2MB

MD5
32efe783fa3ad6959811d8ca5cb9557c

SHA1
41c8846c6f1c84ed10e3c3e54a49f0ff386bc98e

SHA256
a7f9754eb19fba3bed05f5a593617c5445c41e86e3756446eb70c189cea49de9

SHA512
ab5f147a66e409ea27ee676babb9a431bb0acadd33d87923847ca7014415fb25cd308afd867d39c13eda69e9eb733fdbb876c22c64dbf8a18c3ab4cc1182200b

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
1.2MB

MD5
4fbb60b30576e4c6610c22ad08dc6ebf

SHA1
980b153fbc7f25aca04e289638ed6128804afcc9

SHA256
1bdea7e4c22f93ba1606a126d4381297ae1b1dd0704b9afcf2f6841140662067

SHA512
aef4b4d0178d3b10632c85181ec54309e3262463d3ad3ecacc6fd7bad7b2cac3ba247b8b343896da3a6266df37912e1a7ee06257ffca301896344f79e125c6a3

Download Submit
C:\Windows\SysWOW64\Jpbcek32.exe

Filesize
1.2MB

MD5
cb77880c4b6ce71035807948537abe2a

SHA1
b536ffbbe184460d70d503ddc48e08151c3cec22

SHA256
77fbff0f0493f5c1bd3264845c99d41aecafb9d63bab69151ec05bf4a232f0c3

SHA512
d084205e218f69defed38d24174c1362715a22b571b777b6d3449327053659617ab3a554d4c86111ec381058dec6d18dafca1f638e321d648e9a628567502f74

Download Submit
C:\Windows\SysWOW64\Jpepkk32.exe

Filesize
1.2MB

MD5
cd0d00c13f3901b16aac5af6671aaad1

SHA1
047ba133d9056c12fe84c6d50d16151fe382c677

SHA256
24e6f520961d4976e06d48f9d14ee9efbad3a0cf4edcacf2a995a6ed4eb60506

SHA512
8f56316149a611f01705d842aa85d89e8db0f1c6fdde81e71ae9b6cef8e75f9038c69643b0effac9d08454c7a9d99270709cb31ba79a22105f449f340372eec4

Download Submit
C:\Windows\SysWOW64\Jpjifjdg.exe

Filesize
1.2MB

MD5
8864779afbea40ebc520ec2219cb7d5c

SHA1
d5b49438922f27652cb13d7c0d5612076ffa5ac1

SHA256
14c29aaf85784fc65e6a0f2d1ec14e7f2d0abfdae93538461da07929f40af31f

SHA512
b90257210948095640138ae9595184ff996e36bc1c5eb9a155490557eb9cac2de98237a2422bb9849aa2fa2508985308ae726957b645a4cd3786b5475c99673e

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
1.2MB

MD5
8836d177c01f1298347dc97042147666

SHA1
b5d880e0c72eeddc9381024091443a6d1327e9de

SHA256
05ec41f314456b59981414d96e2aca8127138388dd5b1a5013a0e28ded4660c4

SHA512
3eea508570646bf67ded39d66cd5ac901322cfcd64bbdc021ceabc9c95687001b79f0a7b306da3d28665843c5335824e8c1f1885c463676a88ef53ebb14a018a

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
1.2MB

MD5
13fc80720d30094028f517bfb6aadbee

SHA1
0e45ab8c6dbfcbb2bbe37c9c2792695e1495182d

SHA256
0a45799fc5055b27bdf7d62fba5a1b1b30a105c1730f315675588df87b56f172

SHA512
1a26429c29ab06970d787e98dc3e8951d73be55e18df640432ca11b2e90cc960714de7fa0bdd9f4d4b4a2c5c7f37df90d761ed2796b686299eaf7fce48577007

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
1.2MB

MD5
130a714a48b0b0cfca2546f2923ce785

SHA1
cf5aa2da5df54d11ea13b9aac67bdc4fb747a927

SHA256
eca4917f9c9738b862b682ca25d82852c2374de1eca4477ddc4aec5b3b80fef9

SHA512
9be53674802728954aa892c7424e92b2c65797693569726841cb34701a043f5ac9f767a406eef80060a47e47416e4c7f7fc5a6b4ef7366ed500171a318173dbe

Download Submit
C:\Windows\SysWOW64\Khldkllj.exe

Filesize
1.2MB

MD5
e6c625909f6a136d2ca5638bc74d5e85

SHA1
a47869e56e5397943bc2819175a97a72d66a65d9

SHA256
58a8058eff91bf52841373c7059e4abd467cc140651c5273663e2ec9f4b929de

SHA512
adadf343b71b48aee18a6793e59b61996f910623f2c8ac42a17f367dcd3cdce288b16a2bb4ff24c69ed4e928cf28a7f8e6b4aeb87aefe12edc68a84d6b1170c3

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
1.2MB

MD5
9a70df0d9bdec4c0b85854d937451ba3

SHA1
0b1fb129e74c99308f97d9837da24d70f1d421cd

SHA256
59bdac06df894a62df926f2cbab974f8e5e6ad26ebe39c19fb2ae42f9fd9f487

SHA512
ce145a7cfddd0a3b0c48d6a89d9fe985edfe825377a18c15f42b3460467b8d13a93ddcda9e32d1ada965aaab29e040c9e41c90aff35341dc8ab9d54fb1c77780

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
1.2MB

MD5
ca5c6ebe3310acd898ac9f3b98163b4b

SHA1
54ece3697f5d8369f786c1469b716de14559dd6c

SHA256
4edf97b1b28fd9d5e2fd37cac170e99ba8b2c4ce30a64abb0f9a72d574357ef7

SHA512
317525f544210545a342440c15e31f40c6883f413e4638389eefd5a9603158ccd98283e5e774def007a6355d6ae1b7e4db0350dfeb0c8aebf0e18707d70e53ba

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
1.2MB

MD5
e92b676f6a58a4e283ade7e54d6fe6eb

SHA1
ed8f703c0c5b3bd86c8d3cfc7f8f689781968102

SHA256
0901edc876454b2b9aea5b62f3580e2fa6d42811088aaad63f48af08b7a54eb6

SHA512
2c1bb0647cacfc8db51d90342282d2ff0309566b6952ddbfd2985dd99889e01db6b4004b2cf2c1dc8fbb00140b846387dc938b73a35767ee16c7572acf4ee95a

Download Submit
C:\Windows\SysWOW64\Koaclfgl.exe

Filesize
1.2MB

MD5
59b7168930998029e7e40d589d65bf32

SHA1
c29888194616e5e6bb240504d5a8c3be69b2c822

SHA256
4e356787c5fd4bf9b8209be6af858a5f190b63ef36ced05a29057502c57b9116

SHA512
d1bb2eee89ce49c78dbade03b66c6456e40993766360a2e8dd5e91502db1fe392ed1ce4ed656fe35919c3d14ae96b730eb576be476197ca0f137ec1c52866474

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
1.2MB

MD5
f2b9606044eb0660044e418d3a1fa068

SHA1
bf4530d18268589a98e937cf176d22a3ff674327

SHA256
07f047a16f89167051218b28f7be75d63462876a060851e31185f3d889be1eb9

SHA512
02f13b81413c3fa657ffec221f9355b69d30d5546d8061300c7d91a3929e6b3c843040e5eee5be3bc12ab7a52c919fc1ccbeac15c1cb9b43e453a468adc62adc

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
1.2MB

MD5
c23561475f348acd9767adc80b44d02a

SHA1
421118b808b5dfd4bfb1096a0ef9e805197e082c

SHA256
3bd94b267db320d69142764dc2de03321e1659ed501071ff6e9d7517b7782815

SHA512
82c45df1ed24f45f0e5dadd93acea5a1a9b49bbe4d562aece677ce7df5204ee33401fc4fc9008233d103392158ac49ac1d08573c5e10afbae0cdf9bad2b70b2f

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
1.2MB

MD5
17b5f5e7eb4d9c3a3dc8619a217cde27

SHA1
44d2394e08f1003e7d0dc95180a4a9fafbc3cc07

SHA256
57aa763a921179bab465a23bc88e2940c1acb0c0b69dc9aa57ff48c2f649444d

SHA512
c50a61109e23e9d6ccd8769aa5776c7c65765c16992160dfc0159bdec7618e46ec21dd11ba50e4a4fb4d2aeba014b143a96f5ad77086f2092aad3817074de611

Download Submit
C:\Windows\SysWOW64\Lemdncoa.exe

Filesize
1.2MB

MD5
059aa33a7ff8ab393fb16223ba478d38

SHA1
4120a1f1d610a2798a3dd316565af068a14a54b1

SHA256
cd185400dd76675ec8cf86601c4bcad0d34ba47f6c0b6c90fac9f2adc70b25c5

SHA512
a9d9ed80dfb4aec1fd4a3879826ae459fd5c259afd622f281814a24c1becd93ed68ed9e8e4b07b31a04a84ebb85e5ace798f289e69acf0ea1e07aed0a2fcf915

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
1.2MB

MD5
2553301158e1d91f729ac04f46bc3266

SHA1
2bcc4c95f1a387f7311331ff7da3aa8fc9ba2abd

SHA256
1c2ced95fa54fc5e91c9a6a94386e4015e982dc2f7514ced6ec5ab604558f358

SHA512
3af9f440dd1a11dd5e8176ec58cbf179f6ea0c81cad61ca4531c5b5c407ee4182e1c50f12bf25588885f2a5a0da522f2478ce7b192dd92153000b4bb58373406

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
1.2MB

MD5
cd94e42301b5feed3720b843cc883b0c

SHA1
ad549a99c734d1c6d2683d2af58841b3ab22bd0c

SHA256
77630a09192b577801148dc727cab162535f296b6fe01d8d477dded6e1a65ea2

SHA512
236cdfff016a0bea4ed4c5f302cc24c46c1b2784a822d7fa5c026ae1e8fedb610a0f931db226f19b6cdc79d131c1c489da1954d768555922f93f139fd1415bdd

Download Submit
C:\Windows\SysWOW64\Lghgmg32.exe

Filesize
1.2MB

MD5
e70fbd3f066f8135a30ae6f4543e207e

SHA1
b5323fa45cd8d05dc7e03d034e6952344bc3df27

SHA256
62e37589d96c598e02589a90963965026fccb286f3d9a1bc1029ca6f742d3bc4

SHA512
78999b5862f164d5f59563982a3fc943d2f961ac8419d817205bf0f035d2dc9661e114c42925267e9ed6141567c9b1bfb6fa3d45851d30b2d8d474c999b7028a

Download Submit
C:\Windows\SysWOW64\Lidgcclp.exe

Filesize
1.2MB

MD5
eed04bd4317c5bdf63b4042e2bd34a34

SHA1
56f63f7e2fe7c3895a6207c860b7aa46fc6c114a

SHA256
679a8b7bf2a23c2731d04c13da035b86c51450a2fa2a4b5cd9b57c84dcffcae5

SHA512
16b929304af200051f7a8bfba13c4a4f05af03216cd4aa4263eb92fe809841c28566e9ea99ba445a9bfb5873436f3fe046fc9eaa4df415a399ff571efd40ce83

Download Submit
C:\Windows\SysWOW64\Lifcib32.exe

Filesize
1.2MB

MD5
2a9b572dda69a3823f1d8d796e5ac5d1

SHA1
d3ed4e4392bf7240d75d5efee9c7248bd0b390f1

SHA256
49edd1632cb963c384552183faf3acfea66cbabcc74f42b32fe4eb79fd27d4ad

SHA512
1120ea616ab45f7c7b5d142f04c0696f7fa04fa25ab565ba38a4877029b2a178a3df067a1739ccaa484958b4293b104c2ecd1b7a0678b8b97e67dbc7bd19d6f8

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
1.2MB

MD5
285cf533104db73fada35fb895392a08

SHA1
6d914406373c63cf5bb43beff15b71ab86ecdc54

SHA256
d4d1ace0956b2134f0d81bd7007108c4f8b7c444f99db869270b9607ac018f4b

SHA512
734b6bd377623e03c880b92c5b73a5578679980118895ef2b79457dd8a0ff2f4c2e284fb29f70f30aa8f6f784ab1d0b34d252b9919f4dcbbe1c79050c111c080

Download Submit
C:\Windows\SysWOW64\Llepen32.exe

Filesize
1.2MB

MD5
ee86e1b6b0b8a24b1ab8940374b4fb0b

SHA1
1c6c702dd13d22e6554afd5bdcb571aa83c763d6

SHA256
43d44d4210899945588517ac7d138e08b1a969e9d6a20a59b14713c36eac0eab

SHA512
4c0f97061657ff6eb9d9fb364033a2807a729278a3703782b7b44ec2a0cc0d1341e623b42738b4d286f62b9105619c917369d0eeff14f1fa5007862ca81abc60

Download Submit
C:\Windows\SysWOW64\Llgljn32.exe

Filesize
1.2MB

MD5
8a516e3a61aff130b5edadc77505acf5

SHA1
c39dc9af16400d4b422b98854ebbc18a47ac6037

SHA256
1db6ad9a4c454f437369f22403864ad64da12addf29bdf16edc3154cb7a6af77

SHA512
68c440efcd1fb938a827976000533f083bdd745e9dcab68b8c7365b541f1dd668dc695e74022a263c6f9e6a34b97d141c255889d5529a70985a48b6cb66821c8

Download Submit
C:\Windows\SysWOW64\Loaokjjg.exe

Filesize
1.2MB

MD5
8d023e8fd479c5a2b863aac5ef55dea8

SHA1
90ea872fa243584d3abd4faa0d9fb3cd0aa5073b

SHA256
aa5ecf3b7e88bb32de0f8fcc181b08cc6f427e5f4dd465343d60a609ac246568

SHA512
1e1e83d7815981e7c2a3888c86f8a88b893c10de2e057fdc03cf61816e8777a09244c7186e0ab3f2abb8bd88005e087622e19149eac753b25744b16e3d3ea915

Download Submit
C:\Windows\SysWOW64\Lofifi32.exe

Filesize
1.2MB

MD5
1da31b623f8c386c86bd9662363bb63b

SHA1
fa2a44a916b523a242726bfa6a8470cfd0364806

SHA256
4b1cc1c7494e809a597be84ba90e3dfefedf47f282d7b5359209610bb56166de

SHA512
958a2ec32501843fa8421879a405c70c58713625a4df6c82e3692b5e19045a3a098339afa52dd0799cb279b8b4740634f739c5e94a11b8b0beec873d20387a40

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
1.2MB

MD5
fd3476020ae3c109e2cc740563842b77

SHA1
59ae73358de8f0222d14788ab4f0832ea732e578

SHA256
5570fcdf6a9aacdd6e510103eae55d783fd518eddabc49320cf013f37b9100db

SHA512
29526e4a6080b7aadbbc0ebcc1ce4bbeeca6e06dd5d02d2fb16b830b6873636d007ac8b68fe65a5913e1f24daa262f3101d63e116a8982c84d8b2f75b14bf701

Download Submit
\Windows\SysWOW64\Eafkhn32.exe

Filesize
1.2MB

MD5
db31a2458a3cbf4eb993e912965972e4

SHA1
cdf3bc06aec96623f8485d3a150d413f53891b5a

SHA256
418abe298654616d347361010620e87f50a68691a35978b3eea56c4430e4016a

SHA512
d73ace4183a26dd19a23fc789a19b2cfc72aa0be4c32827db65c3b4728885f638e3ed169681a3744590885dc80f0763a00c344d762f019a383e1fce702215256

Download Submit
\Windows\SysWOW64\Efhqmadd.exe

Filesize
1.2MB

MD5
2868048636cb746333ff6fb3c9547d99

SHA1
f0d03e7d16f26892c6ed50d20887c2550e4b64a4

SHA256
b1c2a85e707cb0a76edf4538704dd51722df4c5915d01a72b88d2ed41a29d973

SHA512
36967b68ca827a10fe4b93c9d1cc924d052cf10ce376eb66717316b503aad68fd37977403d240f1b0493110b0baef73090856d147290b84058bb6dc9643f6553

Download Submit
\Windows\SysWOW64\Fijbco32.exe

Filesize
1.2MB

MD5
1dc5880d620d09a28beca1efe8ddc558

SHA1
c6fc466170c2199db8e57de564750df129b4d48a

SHA256
1bfe313414b0d676071efea79cd7d63f6147284c29a005fd34215d34193fbb90

SHA512
ccc8814fea566a9cfd077f13821e01c1ae9bf8aa3e98b9114795a1a28a58bc044dbefb6373c69b56ba4fad0f5a934ba925c09e3ff18a4f13c6c974ddd072475c

Download Submit
\Windows\SysWOW64\Gcjmmdbf.exe

Filesize
1.2MB

MD5
505bb153ba7a5b3f2ca390bce5401af5

SHA1
058193fe69cd3a5a24d78d72b4cb4a74a799eec6

SHA256
8b2d2b18f9fca2384c0673c4d9e34b7ee5636047751e0f8611f62dae0483474d

SHA512
6fbdc1a973414dec21c4fc30f99da3aa85555b3a45d12153d8e1579aefd96e7b1ecbfc0193fef14937da2355bf858415e4775bc28dbe9df2b7b6bee08817296b

Download Submit
\Windows\SysWOW64\Gefmcp32.exe

Filesize
1.2MB

MD5
0e730f5eb5f337be50bd59d2cba2940c

SHA1
19f0374680aeac87e82169d2f771baac87e898e9

SHA256
9462aa7d74c6f9926a2eb205f7a056434ac022ad4b520a1ef7dad9c5ba164690

SHA512
aeb8b132ab9219857c4c4f0f92bf549ef8a1718d0418586e943b0d52763c0cc03431bec5cb30976e47c0cd1a07ce6dee71b6fd0167b48be76ee65c523909fb7b

Download Submit
\Windows\SysWOW64\Hjcaha32.exe

Filesize
1.2MB

MD5
af45fbfd6b27f48a14c9fa377e5afb7a

SHA1
eb5c8bac0fc94a543e04b11b363e450ac2dac121

SHA256
1d6e463dad2be7c9eee6607de4ad3cf39f4145252027811f8f9177284dd29c36

SHA512
15c661bac3b864e90b6491fdaf986c41d1401207e5bd0fdbe748e6b8e317e27a899ead4b5a91d886ed15243b3bb3dfb24b500c1ef8ec852a11626b127cbcad76

Download Submit
\Windows\SysWOW64\Ieponofk.exe

Filesize
1.2MB

MD5
b75e0315b39d6901c583e1cc1447ed4e

SHA1
c9a9fd486fbc9d317b928fd30c116e48300a49df

SHA256
8cc700b8f855efd88521b4a9ac095be0355b5ce59763a8d8d3a9fc4839f0baf0

SHA512
ff4032909e386f2ccec03b717b6220f3a3a7d689eae31cbe348b25d825a230a474b2080d16cdc59eb99225a3ea5932af51e400ee538a060a866acfd47071b7af

Download Submit
memory/340-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/340-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/748-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/748-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/752-163-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/752-157-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/752-116-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/752-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-381-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-126-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/868-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/908-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/908-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-445-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1428-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1428-337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1600-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1600-264-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1640-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1640-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-338-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1688-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-370-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1700-297-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-258-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1716-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1716-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1748-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1748-217-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-132-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1772-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1812-434-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1812-391-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1812-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1812-401-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1836-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1836-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1944-235-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1944-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1984-288-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1984-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2072-409-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2072-402-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2072-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2140-158-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/2140-207-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/2140-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2140-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2364-57-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2364-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2364-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2364-12-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2364-6-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2392-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-97-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2396-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-423-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2400-455-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2400-451-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-72-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/2552-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-408-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-435-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2680-37-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2700-71-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2700-25-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2700-26-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2700-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2716-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2716-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-42-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-55-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2748-346-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2748-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2844-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2844-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2844-192-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2844-147-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/3020-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3020-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads